ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1535

Glossary: /attack/glossary

Unused/Unsupported Cloud Regions

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.

An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking (T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.

Tags

ID: T1535

Tactic: Defense Evasion

Platforms: AWS, GCP, Azure

Permissions Required: User

Data Sources: Stackdriver logs, Azure activity logs, AWS CloudTrail logs

Mitigations

Mitigation                        Description
Software Configuration (M1054)    Cloud service providers may allow customers to deactivate unused regions.

Detection

Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.
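As an added example (not part of the ATT&CK page or any vendor tooling), the two detection rules above expressed in Python over constructed CloudTrail-style records: flag mutating API calls in regions outside an approved set, and flag any region whose RunInstances launches exceed a threshold. The approved region set, the threshold and the sample events are assumptions.

```python
from collections import Counter

# Regions this (hypothetical) organisation actually uses; anything else is "unused".
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
# Alert when more instances than this are launched in one region within the log window.
INSTANCE_THRESHOLD = 5

# Constructed CloudTrail-style records (not real log data), trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0001"}, {"instanceId": "i-0002"}]}}},
    # Console browsing emits read-only Describe* calls in every region; by default these are ignored.
    {"eventName": "DescribeInstances", "awsRegion": "ap-south-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    # Eight instances launched in a region nobody uses: trips both rules.
    {"eventName": "RunInstances", "awsRegion": "sa-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": f"i-{n:04d}"} for n in range(10, 18)]}}},
]


def audit_region_activity(events, approved_regions, instance_threshold, include_read_only=False):
    """Return alert strings for (1) any call in a region outside approved_regions and
    (2) any region whose RunInstances launches in this batch exceed instance_threshold."""
    alerts = []
    launched = Counter()
    for ev in events:
        if ev.get("readOnly") and not include_read_only:
            continue  # skip Describe*/List*/Get* noise unless explicitly requested
        region = ev.get("awsRegion", "unknown")
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if region not in approved_regions:
            alerts.append(f"unused-region: {ev.get('eventName')} in {region} by {actor}")
        if ev.get("eventName") == "RunInstances":
            # CloudTrail lists every launched instance under responseElements.instancesSet.items
            items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
            launched[region] += len(items)
    for region, count in launched.items():
        if count > instance_threshold:
            alerts.append(f"instance-threshold: {count} instances launched in {region} "
                          f"(limit {instance_threshold})")
    return alerts


if __name__ == "__main__":
    for alert in audit_region_activity(SAMPLE_EVENTS, APPROVED_REGIONS, INSTANCE_THRESHOLD):
        print(alert)
```

In practice the batch would be the records of one CloudTrail delivery or a query window, with the threshold set against the account's normal launch rate per region.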